I'm trying to validate the Webhooks that we are receiving to our PHP (Laravel) application. In Shopify the credentials I'm using are set up through a private internal app. I'm using the shared key depicted here in our admin. (I've also tried all of the keys for fun). I'm registering our Webhooks subscriptions via the API, so I don't think I need the Webhooks key that is shown when you set up the subscriptions up in the admin.
$secret = utf8_encode(config('shopify.api_shared_secret')); // key from screenshot
$body = utf8_encode(file_get_contents('php://input')); // have also tried pulling the response from the request itself
$calculatedDigest = base64_encode(
$receivedDigest = $event->hmac; // X-Shopify-Hmac-Sha256 header as is
hash_equals($receivedDigest, $calculatedDigest) // never true
I've tried with and without the utf8_encode calls. After browsing this forum I thought that might help.
I can't tell what I'm missing bud the hash_equals call always fails. Does anyone see something I'm missing?